Rewrite for Podman based infrastructure

Replace Docker buildx based container building with buildah configured
for running in a Forgejo runner that's inside a rootless Podman
deployment.

This also removes kubectl and ansible as my infrastructure is not going
to target these technologies for deployment.

.forgejo/workflows/build.yaml

@@ -1,56 +1,43 @@
-on: [push]
-env:
-  REGISTRY: forgejo.sbox.hornwitser.no
-  REGISTRY_IMAGE: forgejo.sbox.hornwitser.no/furnavia/builder
-
-jobs:
-  build:
-    runs-on: docker
-    container:
-      image: node:20-bookworm
-    steps:
-      -
-        name: Install docker
-        run: |
-          apt-get update
-          apt-get install -y --no-install-recommends ca-certificates curl git
-          install -m 0755 -d /etc/apt/keyrings
-          curl -sSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
-          chmod a+r /etc/apt/keyrings/docker.asc
-          echo \
-            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
-            https://download.docker.com/linux/debian \
-            bookworm stable" \
-          > /etc/apt/sources.list.d/docker.list
-          apt-get update
-          apt-get install -y --no-install-recommends docker-ce-cli docker-buildx-plugin docker-compose-plugin
-      -
-        name: Get image tags
-        id: info
-        shell: bash
-        run: |
-          tee -a ${GITHUB_OUTPUT} <<EOF
-          TAGS<<EOT
-          $(
-            echo ${{ env.REGISTRY_IMAGE }}:${{ github.ref_name }}
-            if [[ "${{ github.ref_name }}" =~ ^r[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-              echo ${{ env.REGISTRY_IMAGE }}:latest
-            elif [[ "${{ github.ref_name }}" == forgejo ]]; then
-              echo ${{ env.REGISTRY_IMAGE }}:development
-            fi
-          )
-          EOT
-          EOF
-      -
-        name: Authenticate
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-          registry: ${{ env.REGISTRY }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          push: true
-          tags: ${{ steps.info.outputs.TAGS }}
+on:
+  push:
+env:
+  REGISTRY_IMAGE: ${{ vars.REGISTRY }}/${{ github.repository }}:${{ github.ref_name }}
+
+jobs:
+  build:
+    runs-on: debian
+    steps:
+      -
+        name: Install and configure dependencies
+        run: |
+          apt-get update
+          apt-get install -y --no-install-recommends \
+            buildah \
+            ca-certificates \
+            containers-storage \
+            crun \
+            git \
+            netavark \
+          ;
+          shared=/var/lib/shared/storage
+          sed /usr/share/containers/storage.conf \
+            -e "/^additionalimagestores/a"'\
+            '"\"$shared\"" \
+          > /etc/containers/storage.conf
+      -
+        name: Checkout repository
+        run: |
+          git config --global credential.helper store
+          echo "https://runner:${{ secrets.GITHUB_TOKEN }}@$(echo "${{ github.server_url }}" | cut -b 9-)" > ~/.git-credentials
+          git clone --branch ${{ github.ref_name }} ${{ github.server_url }}/${{ github.repository }} ${{ github.workspace }}
+      -
+        name: Authenticate with registry
+        run: |
+          echo "${{ secrets.REGISTRY_TOKEN }}" | buildah login ${{ vars.REGISTRY }} --username runner --password-stdin
+      -
+        name: Build and push
+        run: |
+          export BUILDAH_ISOLATION=chroot
+          export _BUILDAH_STARTED_IN_USERNS=""
+          ${{ github.workspace }}/builder.sh ${{ env.REGISTRY_IMAGE }}
+          buildah push ${{ env.REGISTRY_IMAGE }}

.gitlab-ci.yml

@@ -1,17 +0,0 @@
-default:
-  image: docker:24.0.5
-
-build:
-  stage: build
-  script:
-    - docker build $CI_PROJECT_DIR
-      --tag ${REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}
-      $(echo "$CI_COMMIT_TAG" | if grep -q $(date -u '+^r%g\.%-V\.\(0\|[1-9][0-9]*\)$');
-        then echo --tag ${REGISTRY_IMAGE}:latest;
-      fi)
-
-deploy:
-  stage: deploy
-  script:
-    - echo "$REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $REGISTRY_USER --password-stdin
-    - docker push --all-tags ${REGISTRY_IMAGE}

Dockerfile

@@ -1,60 +0,0 @@
-FROM debian:bookworm
-
-ARG KUBE_RELEASE=v1.30.2
-ARG YQ_VERSION=v4.44.2
-ARG NODE_VERSION=20.x
-ARG PNPM_VERSION=v9.5.0
-ARG UBUNTU_CODENAME=jammy
-
-RUN set -eux; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		ca-certificates \
-		curl \
-		git \
-		gpg \
-		openssh-client \
-	; \
-	install -m 0755 -d /etc/apt/keyrings; \
-	curl -sSL "https://keyserver.ubuntu.com/pks/lookup?fingerprint=on&op=get&search=0x6125E2A8C77F2818FB7BD15B93C4A3FD7BB9C367" \
-		> /etc/apt/keyrings/ansible.asc \
-	; \
-	echo \
-		"deb [signed-by=/etc/apt/keyrings/ansible.asc] \
-		http://ppa.launchpad.net/ansible/ansible/ubuntu \
-		$UBUNTU_CODENAME main" \
-	> /etc/apt/sources.list.d/ansible.list; \
-	curl -sSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc; \
-	chmod a+r /etc/apt/keyrings/docker.asc; \
-	echo \
-		"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
-		https://download.docker.com/linux/debian \
-		bookworm stable" \
-	> /etc/apt/sources.list.d/docker.list; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends \
-		ansible \
-		docker-ce-cli \
-		docker-buildx-plugin \
-		docker-compose-plugin \
-	; \
-	curl --silent --location "https://dl.k8s.io/release/$KUBE_RELEASE/bin/linux/amd64/kubectl" \
-		| install --owner=root --group=root --mode=0755 /dev/stdin /usr/local/bin/kubectl \
-	; \
-	curl --silent --location "https://github.com/mikefarah/yq/releases/download/$YQ_VERSION/yq_linux_amd64.tar.gz" \
-		| tar --extract --gzip --to-stdout ./yq_linux_amd64 \
-		| install --owner=root --group=root --mode=0755 /dev/stdin /usr/local/bin/yq \
-	; \
-	curl --silent --location "https://deb.nodesource.com/setup_$NODE_VERSION" | bash; \
-	apt-get install -y --no-install-recommends nodejs; \
-	corepack install --global pnpm@$PNPM_VERSION; \
-	corepack enable pnpm; \
-	rm -rf /var/lib/apt/lists/*
-
-# References:
-# - ansible: https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansible-on-debian
-# - docker: https://docs.docker.com/engine/install/debian/#install-from-a-package
-# - kubectl: https://kubectl.docs.kubernetes.io/installation/kubectl/binaries/
-# - node: https://github.com/nodesource/distributions#installation-instructions-deb
-# - pnpm: https://nodejs.org/api/corepack.html#upgrading-the-global-versions
-# - yq: https://github.com/mikefarah/yq?tab=readme-ov-file#install

Readme.md

@@ -1,16 +1,14 @@
 # Builder
 
-Common docker image used for running application builds, CI pipelines, and deployment scripts based on Debian 12.
+Common container image used for running application builds, CI pipelines, and deployment scripts based on Debian Trixie.
 
 ## Tools included
 
-- `ansible` latest - https://www.ansible.com/
-- `docker` latest - https://www.docker.com/
-- `curl` bookworm - https://packages.debian.org/bookworm/curl
-- `git` bookworm - https://packages.debian.org/bookworm/git
-- `gpg` bookworm - https://packages.debian.org/bookworm/gpg
-- `kubectl` v1.30.2 - https://kubectl.docs.kubernetes.io/
-- `node` v20.x - https://nodejs.org/
+- `buildah` trixie - https://packages.debian.org/trixie/buildah
+- `curl` trixie - https://packages.debian.org/trixie/curl
+- `git` trixie - https://packages.debian.org/trixie/git
+- `node` v22.x - https://github.com/nodesource/distributions
 - `pnpm` v9.5.0 - https://pnpm.io/
-- `ssh` bookworm - https://packages.debian.org/bookworm/openssh-client
+- `podman` trixie - https://packages.debian.org/trixie/podman
+- `ssh` trixie - https://packages.debian.org/trixie/openssh-client
 - `yq` v4.44.2 - https://github.com/mikefarah/yq

builder.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+set -xe
+
+YQ_VERSION=v4.44.2
+NODE_VERSION=22.x
+PNPM_VERSION=v9.5.0
+
+ctr=$(buildah from "docker.io/library/debian:trixie-20250428")
+mnt=$(buildah mount $ctr) # Used to verify mounts work
+
+# Install dependencies
+buildah run $ctr -- apt-get update
+buildah run $ctr -- apt-get install -y --no-install-recommends \
+	buildah \
+	ca-certificates \
+	containers-storage \
+	crun \
+	curl \
+	git \
+	netavark \
+	openssh-client \
+	podman \
+	podman-docker \
+;
+
+# Configure container storage
+shared=/var/lib/shared/storage
+buildah run $ctr -- sh -c "sed /usr/share/containers/storage.conf \
+	-e '/^additionalimagestores/a"'\
+'"  \"$shared\"' \
+> /etc/containers/storage.conf"
+buildah run $ctr -- sh -c "\
+	mkdir -p $shared/overlay-images $shared/overlay-layers; \
+	touch $shared/overlay-images/images.lock; \
+	touch $shared/overlay-layers/layers.lock; \
+"
+
+# yq https://github.com/mikefarah/yq?tab=readme-ov-file#install
+buildah run $ctr -- sh -c "curl --silent --location \"https://github.com/mikefarah/yq/releases/download/$YQ_VERSION/yq_linux_amd64.tar.gz\" \
+	| tar --extract --gzip --to-stdout ./yq_linux_amd64 \
+	| install --owner=root --group=root --mode=0755 /dev/stdin /usr/local/bin/yq \
+;"
+
+# node https://github.com/nodesource/distributions?tab=readme-ov-file#using-debian-as-root-nodejs-22
+buildah run $ctr -- sh -c "curl --silent --location \"https://deb.nodesource.com/setup_$NODE_VERSION\" | bash"
+buildah run $ctr -- apt-get install -y --no-install-recommends nodejs
+
+# pnpm https://nodejs.org/api/corepack.html#upgrading-the-global-versions
+buildah run $ctr -- corepack install --global pnpm@$PNPM_VERSION
+buildah run $ctr -- corepack enable pnpm
+
+# Clear caches
+buildah run $ctr -- rm -rf /var/lib/apt/lists/*
+
+# Config
+buildah config \
+	--env BUILDAH_ISOLATION=chroot \
+	--env _BUILDAH_STARTED_IN_USERNS= \
+$ctr;
+
+buildah unmount $ctr
+buildah commit --rm $ctr $1